Date: Thu, 05 Apr 2012 10:39:20 -0400
From: Champ Clark III <>
Subject: Sagan 0.2.1 [Security Event/Log Analyzer]

Sagan version 0.2.1 has been released []
Champ Clark III []

What is Sagan?
--------------

Sagan Main Site:

Sagan is an open source (GNU/GPLv2) high performance, real-time log
analysis & correlation engine.  It is written in C and uses a
multi-threaded architecture to deliver high performance log & event
analysis. The Sagan structure and Sagan rules work similarly to the
Sourcefire "Snort" IDS engine. This was intentionally done to maintain
compatibility with rule management software
(oinkmaster/pulledpork/etc.) and allows Sagan to correlate log events
with your Snort IDS/IPS system. Since Sagan can write to Snort IDS/IPS
databases via unified2/barnyard2 or direct SQL access, it is
compatible with all Snort "consoles". For example, Sagan is compatible
with Snorby [], Sguil
[] and the Prelude IDS framework!  For
more information, please visit the Sagan web site:

What's new in Sagan?
--------------------

- Native Snortsam [] support. Snortsam is a
firewall blocking agent for Snort. Sagan can now leverage Snortsam to
block attacks based on log analysis and normalization. Snortsam
currently supports Checkpoint Firewall-1, Cisco PIX/ASA, Cisco
routers, Juniper/Netscreen, ipf/ipfw2 (FreeBSD), pf (OpenBSD),
ipchains/iptables/ebtables (Linux), Watchguard, 8signs (Windows), and
MS ISA Server (Windows).

- New "after" rule option. For example, "alert me after X number of
events". This works great with thresholding. For example, "Alert me
after X number of events, but threshold by the source address when 10
events are reached".

- New DNS cache system. Ideally, you will never need this feature, but
in some environments it can't be avoided.

- Several bug fixes and code cleanups (SQL direct write improved, core
thread handling changed, etc.)
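The "after" plus "threshold by source" combination described above, as an added Python model that is not Sagan's own code: the gate and window semantics below are my simplification of what the announcement describes (not Sagan's implementation), and the timestamps and addresses are constructed sample data.

```python
"""Toy model of an 'after' rule option combined with a per-source threshold.

Assumed semantics (a simplification, not Sagan's own code):
  after:     per source, an event may alert only once `after_count` matching
             events from that source have arrived within `after_seconds`.
  threshold: per source, at most `limit_count` alerts per `limit_seconds`
             window (Snort-style "type limit").
"""
from collections import defaultdict, deque


class AfterThreshold:
    def __init__(self, after_count, after_seconds, limit_count, limit_seconds):
        self.after_count = after_count
        self.after_seconds = after_seconds
        self.limit_count = limit_count
        self.limit_seconds = limit_seconds
        self._seen = defaultdict(deque)     # src -> timestamps of matching events
        self._alerted = defaultdict(deque)  # src -> timestamps of emitted alerts

    @staticmethod
    def _expire(window, now, seconds):
        # Drop timestamps that fell out of the sliding window.
        while window and now - window[0] > seconds:
            window.popleft()

    def process(self, ts, src):
        """Return True if a matching event at time ts from src should alert."""
        seen = self._seen[src]
        self._expire(seen, ts, self.after_seconds)
        seen.append(ts)
        if len(seen) < self.after_count:
            return False  # "after" gate not reached yet for this source
        alerted = self._alerted[src]
        self._expire(alerted, ts, self.limit_seconds)
        if len(alerted) >= self.limit_count:
            return False  # threshold limit already used up in this window
        alerted.append(ts)
        return True


def run(events, after_count=5, after_seconds=60, limit_count=1, limit_seconds=60):
    """Feed (timestamp, source) pairs through the rule; return the alerting events."""
    rule = AfterThreshold(after_count, after_seconds, limit_count, limit_seconds)
    return [(ts, src) for ts, src in events if rule.process(ts, src)]


# Constructed sample: 12 matching events from one host within 22 s,
# plus two stray events from another host that never reach the gate.
SAMPLE_EVENTS = sorted([(t, "10.0.0.5") for t in range(0, 24, 2)]
                       + [(3, "10.0.0.9"), (50, "10.0.0.9")])
```

With the defaults the burst produces a single alert at the fifth event; shortening `limit_seconds` lets one alert through per window instead of silencing the rest of the burst.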

What's in the future for Sagan?
-------------------------------

- New pre-processors for log analysis for better anomaly detection.
- Better documentation.
- New output plug-ins.

Where is an online demo?
-----------------------

For an online demo of Sagan and Snorby in action, please go to:
Password: snorby

You'll notice the "Sagan" sensor online and reporting log data.

------------------

General questions about Sagan should be directed to the Sagan mailing
list. This can be found at You can also ask questions
on the Sagan IRC channel ( #sagan). Author-specific
questions should be directed to Champ Clark III (

Thank you!

-- 
- Champ Clark III (
  Quadrant Information Security (
  Key Fingerprint: 2E56 C2EB 1B25 C517 D5BA 2DCF 5E70 B2F8 0381 878A
  GPG Key ID: 0381878A


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -